Locate your API key (Primary Key) in the Dropbox Sign API settings; this key is the HMAC secret used to verify event payloads — only the Primary Key generates the event_hash
On receiving a callback POST, extract event_time and event_type from the event object in the JSON body
Concatenate event_time and event_type as a string (in that order, no separator), then compute HMAC-SHA256 of this string using your API key as the secret
Compare your computed digest (hex-encoded) against the event_hash field in the callback payload; if they match, the callback is authentic
Return HTTP 200 with the body Hello API Event Received to acknowledge the event; Dropbox Sign re-delivers events that do not receive this exact acknowledgment
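The steps above as an added Python example (not Dropbox Sign's SDK code and not part of the original page). It assumes the callback JSON has already been extracted as a string and that event_hash sits in the event object next to event_time and event_type; the function names, the 400/401 rejection codes and the sample key and event are constructed for illustration.

```python
import hashlib
import hmac
import json

ACK_BODY = "Hello API Event Received"  # exact acknowledgment body from the last step


def compute_event_hash(api_key: str, event_time, event_type: str) -> str:
    """HMAC-SHA256 over event_time + event_type (no separator), hex-encoded."""
    message = f"{event_time}{event_type}".encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_callback(api_key: str, payload: dict) -> bool:
    """Return True only if event_hash matches; malformed payloads fail closed."""
    event = payload.get("event")
    if not isinstance(event, dict):
        return False
    event_time = event.get("event_time")
    event_type = event.get("event_type")
    received = event.get("event_hash")
    if not (isinstance(event_time, (str, int)) and isinstance(event_type, str)
            and isinstance(received, str)):
        return False
    expected = compute_event_hash(api_key, event_time, event_type)
    # Constant-time comparison: do not leak how many leading characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def handle_callback(api_key: str, raw_json: str):
    """Hypothetical framework-neutral handler returning (status, body)."""
    try:
        payload = json.loads(raw_json)
    except (ValueError, TypeError):
        return 400, ""
    if not isinstance(payload, dict) or not verify_callback(api_key, payload):
        return 401, ""  # assumed rejection code; an unverified event is never acknowledged
    return 200, ACK_BODY


# Constructed sample data (not a real credential or a captured event).
SAMPLE_KEY = "EXAMPLE_PRIMARY_KEY"
SAMPLE_EVENT = {"event": {"event_time": "1700000000",
                          "event_type": "signature_request_sent"}}
SAMPLE_EVENT["event"]["event_hash"] = compute_event_hash(
    SAMPLE_KEY, "1700000000", "signature_request_sent")
```

Verifying with a key other than the one that produced the hash fails in the same way as a tampered payload, which is the behaviour to expect after a Primary Key rotation until the stored secret is updated.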
Known gotchas
Only the designated Primary Key generates the event_hash; if you rotate keys and a different key becomes primary, your verification will fail until you update the secret used in your HMAC computation
The required acknowledgment response body is the literal string Hello API Event Received; a 200 with an empty body or different body text is treated as a failure and triggers re-delivery
Dropbox Sign SDKs provide helper methods for event verification; prefer the SDK helper over a hand-rolled implementation to avoid subtle encoding or ordering errors